Wednesday, September 9, 2015

Zone Base Firewall Policy - self zone

In my last post I tested some features of ZBFP and how the firewall
processes traffic when some interfaces are not part of the ZBFP
configuration. Today I'd like to test the 'self zone', because it works a bit
differently. I'm going to work on the configuration from my last post.

As you remember, I created a policy for traffic from R2 to R3. I also
tested the connection from R2 to R4 and it didn't work (R4 is not a member
of any zone), but traffic from R5 to R4 is allowed (neither is a member
of any zone).

As you can see, both failed, which means that despite the lack of a SELF-INS
policy, the returning packets are matched by the INS-SELF policy. The policy
action is 'inspect', so ZBFP checks whether such a session exists in its
session table. In my case the sessions didn't exist and the packets were
dropped. Once I change the action from 'inspect' to 'pass', one of them
should work:

Self zone:

- once we define a zone pair that includes the self zone in one direction, it affects traffic both to and from the firewall
- if a protocol is not allowed in one direction, you can't connect in the opposite direction either, because the returning packets are dropped
- if a protocol is allowed in one direction and the action is 'inspect', the opposite direction is not allowed either, because the policy checks whether such a session exists in the session table; once you change the action to 'pass', it will work
- traffic between hosts connected to different interfaces is not restricted
- for routing protocols the action 'inspect' is not allowed; you can only 'pass' (because of the multicast traffic these protocols use)
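The following configuration reproduces the self-zone behaviour described above. It is an added example, not the configuration from this or the previous post: only the INS-SELF zone pair name comes from the post, while the zone, class-map, policy-map, ACL and interface names, and the choice of telnet and ICMP as the tested protocols, are assumptions.

```cisco
! Added example (not the author's configuration). Names other than the
! INS-SELF zone pair are assumptions.
zone security INSIDE
!
! Protocols exchanged between inside hosts and the router itself.
! Telnet and ICMP are assumed as the protocols under test.
class-map type inspect match-any CM-INS-SELF
 match protocol telnet
 match protocol icmp
!
! Routing protocol traffic to the router: 'inspect' is not supported for
! it in the self zone, so it gets its own class that is only passed.
ip access-list extended ACL-OSPF
 permit ospf any any
class-map type inspect match-all CM-OSPF
 match access-group name ACL-OSPF
!
policy-map type inspect PM-INS-SELF
 class type inspect CM-INS-SELF
! With 'inspect' here, replies to sessions the router opened towards INSIDE
! are checked against the session table, find no entry and are dropped,
! as observed in the post. 'pass' lets them through without that check.
  pass
 class type inspect CM-OSPF
  pass
 class class-default
! Anything not listed above is dropped. Because this single zone pair also
! catches the returning packets, such protocols fail in both directions,
! even though no SELF-INS zone pair is defined.
  drop
!
! Only one direction is defined, matching the test in the post. Traffic
! between INSIDE and the router's other non-zone interfaces is unaffected.
zone-pair security INS-SELF source INSIDE destination self
 service-policy type inspect PM-INS-SELF
!
interface GigabitEthernet0/0
 zone-member security INSIDE
```

Before applying a self-zone policy on a production box, make sure the management protocol you are connected over is in a passed or inspected class, since class-default drop otherwise cuts that session off.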

Standard zone:

- if you have interfaces that are members of zones, traffic to or from an interface that is not part of any zone is not allowed, because no zone pair covering it exists
- if you have ZBFP configured on a router, traffic between interfaces that are not members of any zone is not controlled by ZBFP and is permitted by default.